Web Server Security 101: Tips, Tricks & Examples
37% of engineering teams have experienced a security breach, and 26% of all breaches originate from web-based attacks, so learning how to protect your customers’ interests is key to your online business. At Onboardbase, we take development safety to heart. In this article, you will learn basic web server security best practices to get you started as simply as possible, whatever your background as a web developer.
What Is Web Server Security
Web server security covers the tools and processes that prevent unwanted behaviors on a web server, such as unexpected data retrieval and manipulation.
If you’ve ever implemented a user account system, you’ve already dealt with web server security: authenticating and authorizing your app’s users. Security is an integral part of every web developer’s job!
Why Web Server Security
Web server security is about protecting your software from web server attacks. It just doesn’t feel nice to see your team’s months of work go down the drain because of ill-intentioned Internet strangers.
Whether you are in B2B or B2C, your software must honor some sort of service-level agreement as an indicator of quality. According to IBM Security, a data breach costs $4.24 million on average, and it’s easy to see why: a breach not only hurts your customers and loses you contracts, but also takes person-hours to fix. Ignoring web security costs you time, stress, and money.
More importantly, bad security is terrible marketing because trust is the basis of all sustainable relationships.
Web Server Security Checklist: 8 Steps To Get Started
1. Secure Your App Secrets
Whatever your tech stack might be, you probably use app secrets to interact with backend services. If you use a database, you need a username and a password to perform transactions. If you use a third-party service like Twitter, you need an OAuth token to interact with the API.
Securing your environment variables and login credentials is key to preventing unauthorized use:
- Don’t hard-code API keys and credentials in your programs - Define local environment variables in a .env file to restrict access to sensitive information.
- Don’t commit .env files to git repositories - Add your .env files to the list of ignored files in .gitignore.
- Replace .env files with Onboardbase - You can use Onboardbase to integrate your app secrets from a central secure location at build time, removing the need to define environment variables in your file system entirely.
2. Default To HTTPS / TLS
6% of the world’s largest websites still don’t use secure connections over HTTPS, leaving them open to data breaches on insecure (public and private) networks. HTTPS is HTTP with TLS (Transport Layer Security) encryption, which allows encrypting requests and responses to/from web servers.
Without encryption, hackers could intercept HTTP requests and read them to steal information or impersonate users. To prevent that:
- Use Let’s Encrypt to obtain TLS certificates - If your hosting provider gives you shell access to your server, Let’s Encrypt is the leading non-profit organization providing unlimited free TLS certificates to use HTTPS.
- Use Caddy as a secure web server - If you don’t want to bother installing TLS certificates yourself but have complete control over your hosting, you can use a web server like Caddy to request and renew TLS certificates for your sites automatically.
- Ask your provider to do it for you - Most hosting platforms now offer HTTPS support almost out of the box. Some serverless providers like Netlify, Vercel, or GitHub Pages, for example, will provide HTTPS automatically or with the push of a button.
3. Prepare For DDoS Attacks
A distributed denial-of-service (DDoS) attack floods a server with fake requests, sent from multiple virtual machines located in different parts of the world, until it breaks. 5.4 million DDoS attacks were recorded in the first half of 2021 alone, making it the most common type of cyber attack, and websites of any size can be a target.
It doesn’t have to worry you too much, though, as mitigations are fairly simple to put in place:
- Use a load balancer - A load balancer is a reverse proxy distributing traffic across several servers to eliminate bottlenecks.
- Use a Content Delivery Network - CDNs mitigate DoS attacks by design by distributing traffic geographically, and Cloudflare’s CDN is well known for offering built-in DDoS protection on top of that.
- Configure floating IPs - If you only use a single server and its IP gets leaked, you will need to change it to avoid recurring DDoS attacks. Floating IPs allow you to do that without having to migrate your entire configuration to a new machine.
4. Run Separate Development Environments
Properly testing your code before it reaches production is key to keeping it from introducing security flaws on your web server.
Having separate coding environments allows for seamless code releases throughout your product lifecycle:
- A development environment for programming new features and bug fixes on a local machine.
- A staging environment to test the code on remote web servers configured with production settings, to mimic real-life conditions as closely as possible.
- A final production environment where the web server listens to end users’ requests and responds accordingly.
Onboardbase also makes it easy to separate app secrets and login credentials by project environment. For example, you can pick a project from your dashboard, add a new environment in a click, and switch between them seamlessly.
You can then use the Onboardbase CLI’s setup command to interactively configure the right environment. After the process, an onboardbase.yml file is generated that looks like this:

```yaml
setup:
  project: <THE PROJECT NAME>
  environment: <DEVELOPMENT OR STAGING>
```

Your build can then be wrapped with the CLI so that secrets are injected at build time:

```shell
onboardbase build --command="yarn build"
```
5. Leverage Server Logs
All web servers can log incoming requests, outgoing responses, and even intermediate steps to text files, giving you valuable indications of possible attacks. In the case of a denial-of-service attack, for example, you could trace the IPs of the machines responsible and block them from accessing your web server using .htaccess files.
- Disable debugging logs in production - Writing each and every log line to disk will cause performance problems.
- Always be monitoring error logs - Your hosting provider likely provides an interface to monitor errors in production, but you also need an alert system to fix problems as they appear.
- Never enable debugging modes in production - Debugging features often give out sensitive information like system variables that attackers can use to blackmail you, so it’s essential to use your staging environment instead if you can’t find the source of an issue in development: never debug in production!
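As an added example (not code from the article), the following Python script parses a few constructed Apache/nginx-style access log lines, flags client IPs whose request count crosses a threshold, and renders the Apache 2.4 `.htaccess` rules that would block them; the threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Regex for the common/combined access log format used by Apache and nginx.
# Only the fields needed here (client IP, timestamp, request line, status) are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real server): one client hammering
# the login endpoint, two ordinary visitors, and one malformed line.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4096
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.77 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512
garbage line that does not match the format
"""

def parse_log(text):
    """Yield (ip, status) for each well-formed line; skip unparseable lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("status"))

def find_noisy_clients(text, threshold):
    """Return {ip: request_count} for clients with at least `threshold` requests."""
    counts = defaultdict(int)
    for ip, _status in parse_log(text):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def htaccess_deny_rules(ips):
    """Render Apache 2.4 .htaccess rules that allow everyone except the given IPs."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    noisy = find_noisy_clients(SAMPLE_LOG, threshold=5)
    print(noisy)  # {'203.0.113.9': 5}
    print(htaccess_deny_rules(noisy))
```

On a real server you would feed the script the access log path and tune the threshold to your normal traffic before acting on its output.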
6. Adopt A Jamstack Architecture
Unlike a traditional monolithic software architecture, a Jamstack architecture is about pre-rendering your front-end into static pages and assets while decoupling your back-end logic into APIs and “headless” services. Its main benefit is to reduce the attack surface, because serving static files and generating web pages at runtime are drastically different: while the latter can be attacked with techniques like SQL injection, you can’t change the content of static files by manipulating HTTP requests. Your API endpoints become the only points of failure you need to care about.
- Use a headless CMS for your websites - More and more CMSs like WordPress offer a headless mode, so you don’t have to change your ways.
- Use static site generators to serve app shells and static web pages.
- Use JSON and frontend frameworks instead of server-generated HTML to update your web pages.
- Containerize APIs and databases - Technologies like Docker and Kubernetes add further resilience to your backend architecture. If your API presents a vulnerability, it can be quickly isolated inside its container instead of spreading to the whole server, for example.
7. Ensure Proper Authentication & Authorization
Secure authentication and authorization are vital in every part of a web application. Authentication verifies the identity of a user while authorization validates their access rights, making sure administrators, developers, and regular users do what they are supposed to do.
- Never store passwords in your web server database as plain text - always store them as salted one-way hashes and verify user passwords by comparing hashes
- Protect your web server’s FTP and SSH access - Developers might need remote access to web servers to push code to production. While your team can share login credentials with tools like Onboardbase, you will still need to prevent attackers from brute-forcing their way in, using web server tools like Fail2ban.
- Think about access control and permissions thoroughly - Disallow file and endpoint accesses by default. Define clear roles and scopes for each specific use case, like uploading files to a web server for example.
8. Watch Out For SQL Injections & XSS Attacks
SQL injections and XSS attacks have been documented threats for decades now. Both originate from user-generated requests that have been poorly parsed and validated server-side.
- Sanitize all client inputs - never trust incoming requests and always prepare for the worst: check data types, ensure correct formatting, and escape characters that need to be escaped (quotes, backslashes, etc.). Do it both client-side and server-side.
- Use a database ORM to retrieve and manipulate database data safely
- Don’t store sensitive data client-side in cookies, localStorage, or indexedDB - that includes JSON web tokens or other authentication information. Anybody with access to your web browser can obtain those!
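To make the difference concrete, here is an added example (not from the article) contrasting a string-formatted SQL query with a parameterized one against a constructed in-memory SQLite table, plus HTML escaping for the XSS side; the user table, addresses and comment text are sample data.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory user table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn

def find_user_vulnerable(conn, email):
    """Builds the query by string formatting: client input becomes SQL syntax."""
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, email):
    """Parameterized query (what an ORM does for you): the driver binds `email`
    as a value, so quotes inside it can never terminate the string literal."""
    sql = "SELECT email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def render_comment(text):
    """Escape user text before placing it in HTML so it cannot inject markup."""
    return f"<p>{html.escape(text, quote=True)}</p>"

if __name__ == "__main__":
    conn = make_db()
    # Classic tautology input, shown only to contrast the two query styles.
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(conn, hostile))  # returns every row
    print(find_user_safe(conn, hostile))        # returns []
    print(render_comment("<b>hi</b> & <script>"))
```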
Use Onboardbase To Secure Your Web Server
Onboardbase makes developers’ lives easier by securing app secrets and credentials used by web servers. Combining a command line interface to easily integrate API keys in all development stages with a dashboard to centrally manage app configurations, it will help ensure strong web server security from the frontend and the backend alike. The best part? You can get started for free in a minute.